WEBVTT 1 00:00:00.120 --> 00:00:01.530 In this lesson, 2 00:00:01.530 --> 00:00:04.590 we will learn about threats to the model. 3 00:00:04.590 --> 00:00:08.850 Threats to the AI or artificial intelligence model 4 00:00:08.850 --> 00:00:13.080 are those that can compromise the integrity, security, 5 00:00:13.080 --> 00:00:16.560 or confidentiality of AI systems. 6 00:00:16.560 --> 00:00:21.560 The compromise of AI models can lead to incorrect decisions 7 00:00:21.870 --> 00:00:25.470 or unauthorized access to sensitive data. 8 00:00:25.470 --> 00:00:28.620 These threats are potential attack paths 9 00:00:28.620 --> 00:00:30.540 for malicious actors. 10 00:00:30.540 --> 00:00:33.870 Threats to the model include prompt injection, 11 00:00:33.870 --> 00:00:38.100 unsecured output handling, training data poisoning, 12 00:00:38.100 --> 00:00:42.510 model denial-of-service, supply chain vulnerabilities, 13 00:00:42.510 --> 00:00:45.690 model theft, and model inversion. 14 00:00:45.690 --> 00:00:47.580 Prompt injection occurs 15 00:00:47.580 --> 00:00:50.640 when an attacker manipulates input prompts 16 00:00:50.640 --> 00:00:53.280 to alter the model's behavior. 17 00:00:53.280 --> 00:00:56.850 Unsecured output handling is the improper management 18 00:00:56.850 --> 00:00:59.580 of AI generated outputs. 19 00:00:59.580 --> 00:01:01.980 Next, training data poisoning 20 00:01:01.980 --> 00:01:05.340 is the intentional manipulation of training data 21 00:01:05.340 --> 00:01:09.030 to skew the model's predictions or performance. 22 00:01:09.030 --> 00:01:11.400 Model denial-of-service attacks 23 00:01:11.400 --> 00:01:14.430 aim to overwhelm the AI system, 24 00:01:14.430 --> 00:01:17.760 preventing legitimate users from using it. 25 00:01:17.760 --> 00:01:20.670 Next, supply chain vulnerabilities 26 00:01:20.670 --> 00:01:23.070 emerge when compromised components 27 00:01:23.070 --> 00:01:27.030 or third-party libraries used in model development 28 00:01:27.030 --> 00:01:31.410 are exploited to insert malicious code, backdoors, 29 00:01:31.410 --> 00:01:35.310 or alter functionality of the AI system. 30 00:01:35.310 --> 00:01:38.670 Model theft is the unauthorized extraction 31 00:01:38.670 --> 00:01:41.490 of a model's intellectual property. 32 00:01:41.490 --> 00:01:44.340 And finally, model inversion 33 00:01:44.340 --> 00:01:47.910 allows attackers to reconstruct sensitive data 34 00:01:47.910 --> 00:01:52.910 used during AI training by analyzing the model's outputs. 35 00:01:53.070 --> 00:01:55.680 Let's learn more about prompt injection, 36 00:01:55.680 --> 00:01:59.700 unsecured output handling, training data poisoning, 37 00:01:59.700 --> 00:02:03.930 model denial-of-service, supply chain vulnerabilities, 38 00:02:03.930 --> 00:02:07.290 model theft, and model inversion. 39 00:02:07.290 --> 00:02:10.350 First, we have prompt injection. 40 00:02:10.350 --> 00:02:12.330 Prompt injection is an attack 41 00:02:12.330 --> 00:02:16.530 where an attacker manipulates the input to an AI model 42 00:02:16.530 --> 00:02:19.050 to alter its intended behavior 43 00:02:19.050 --> 00:02:22.680 and produce harmful or unintended results. 44 00:02:22.680 --> 00:02:26.220 For instance, in a customer service chat bot, 45 00:02:26.220 --> 00:02:30.060 an attacker might craft a prompt that tricks the chat bot 46 00:02:30.060 --> 00:02:33.690 into providing confidential company information 47 00:02:33.690 --> 00:02:36.390 or giving harmful advice. 48 00:02:36.390 --> 00:02:40.890 By subtly embedding manipulative inputs within the prompt, 49 00:02:40.890 --> 00:02:43.410 attackers can steer the model away 50 00:02:43.410 --> 00:02:47.880 from its intended purpose, leading to security breaches 51 00:02:47.880 --> 00:02:51.300 or the dissemination of incorrect information. 52 00:02:51.300 --> 00:02:56.070 So effective prompt filtering and regular model validation 53 00:02:56.070 --> 00:02:59.160 are needed to defend against prompt injection. 54 00:02:59.160 --> 00:03:02.430 Second, we have unsecured output handling. 55 00:03:02.430 --> 00:03:05.280 Unsecured output handling is a vulnerability 56 00:03:05.280 --> 00:03:08.460 that occurs when AI generated outputs 57 00:03:08.460 --> 00:03:11.760 are not properly managed or safeguarded, 58 00:03:11.760 --> 00:03:13.920 leading to information leaks 59 00:03:13.920 --> 00:03:17.160 or the execution of harmful commands. 60 00:03:17.160 --> 00:03:20.100 For example, if an AI assistant 61 00:03:20.100 --> 00:03:23.490 generates responses containing sensitive details 62 00:03:23.490 --> 00:03:27.210 like personal data, attackers could exploit this 63 00:03:27.210 --> 00:03:29.430 by requesting specific outputs 64 00:03:29.430 --> 00:03:32.610 that expose that confidential information. 65 00:03:32.610 --> 00:03:34.500 By leaving outputs unsecured, 66 00:03:34.500 --> 00:03:38.700 sensitive data becomes vulnerable to unauthorized access. 67 00:03:38.700 --> 00:03:42.510 So using secure protocols and output monitoring 68 00:03:42.510 --> 00:03:44.730 mitigate the risks associated 69 00:03:44.730 --> 00:03:47.280 with unsecured output handling. 70 00:03:47.280 --> 00:03:50.460 Third, we have training data poisoning. 71 00:03:50.460 --> 00:03:52.380 Training data poisoning happens 72 00:03:52.380 --> 00:03:56.280 when attackers intentionally manipulate training data 73 00:03:56.280 --> 00:04:00.720 to distort the AI model's predictions or functionality. 74 00:04:00.720 --> 00:04:04.410 An attacker could, for example, inject bias 75 00:04:04.410 --> 00:04:08.280 or misleading data into an AI system 76 00:04:08.280 --> 00:04:10.770 used for content moderation, 77 00:04:10.770 --> 00:04:15.360 leading to the model incorrectly approving harmful content 78 00:04:15.360 --> 00:04:18.090 or censoring benign posts. 79 00:04:18.090 --> 00:04:21.870 This type of poisoning can erode trust in the model 80 00:04:21.870 --> 00:04:24.570 and result in biased decisions. 81 00:04:24.570 --> 00:04:28.500 So regularly auditing and securing training data 82 00:04:28.500 --> 00:04:30.540 helps prevent such attacks 83 00:04:30.540 --> 00:04:34.200 and ensures the integrity of the AI model. 84 00:04:34.200 --> 00:04:37.980 Fourth, we have model denial-of-service. 85 00:04:37.980 --> 00:04:40.080 Model denial-of-service attacks 86 00:04:40.080 --> 00:04:44.820 aim to overwhelm the AI model with excessive requests, 87 00:04:44.820 --> 00:04:48.240 preventing legitimate users from accessing it. 88 00:04:48.240 --> 00:04:50.700 For instance, attackers might flood 89 00:04:50.700 --> 00:04:53.430 an online image recognition tool 90 00:04:53.430 --> 00:04:55.890 with a high volume of requests, 91 00:04:55.890 --> 00:04:59.430 causing the system to slow down or crash. 92 00:04:59.430 --> 00:05:04.050 This type of attack can render the AI service unavailable, 93 00:05:04.050 --> 00:05:07.770 disrupting operations and user access. 94 00:05:07.770 --> 00:05:09.930 So implementing rate limiting 95 00:05:09.930 --> 00:05:12.960 and monitoring for unusual activity 96 00:05:12.960 --> 00:05:17.640 can defend against denial-of-service attacks on AI models. 97 00:05:17.640 --> 00:05:21.390 Fifth, we have supply chain vulnerabilities. 98 00:05:21.390 --> 00:05:23.910 Supply chain vulnerabilities arise 99 00:05:23.910 --> 00:05:25.980 when third-party components 100 00:05:25.980 --> 00:05:30.980 or libraries used in developing an AI model are compromised. 101 00:05:31.110 --> 00:05:36.110 For example, if an AI developer uses a pre-trained model 102 00:05:36.270 --> 00:05:38.370 from an untrusted source, 103 00:05:38.370 --> 00:05:42.120 attackers could have embedded malicious code within it, 104 00:05:42.120 --> 00:05:43.920 allowing them to manipulate 105 00:05:43.920 --> 00:05:47.370 the AI's behavior or access data. 106 00:05:47.370 --> 00:05:52.170 Such vulnerabilities expose the model to unexpected risks. 107 00:05:52.170 --> 00:05:57.030 So regularly vetting and verifying third-party components 108 00:05:57.030 --> 00:06:00.660 used in AI development reduces the risks 109 00:06:00.660 --> 00:06:04.290 associated with supply chain vulnerabilities. 110 00:06:04.290 --> 00:06:07.350 Sixth, we have model theft. 111 00:06:07.350 --> 00:06:10.500 Model theft occurs when an attacker extracts 112 00:06:10.500 --> 00:06:13.650 an AI model's intellectual property, 113 00:06:13.650 --> 00:06:17.670 allowing unauthorized replication or misuse. 114 00:06:17.670 --> 00:06:22.670 For example, an attacker could repeatedly query an AI model 115 00:06:22.680 --> 00:06:25.920 for predictions and use the responses 116 00:06:25.920 --> 00:06:28.320 to create a duplicate model. 117 00:06:28.320 --> 00:06:32.190 Model theft can result in intellectual property loss 118 00:06:32.190 --> 00:06:37.190 and enable competitors to replicate proprietary technology. 119 00:06:37.230 --> 00:06:41.070 So employing encryption and access controls 120 00:06:41.070 --> 00:06:45.390 can help secure models against unauthorized execution. 121 00:06:45.390 --> 00:06:49.590 Seventh and last, we have model inversion. 122 00:06:49.590 --> 00:06:52.470 Model inversion attacks allow attackers 123 00:06:52.470 --> 00:06:57.000 to reconstruct sensitive data from the model's outputs, 124 00:06:57.000 --> 00:07:01.860 potentially exposing personal or proprietary information 125 00:07:01.860 --> 00:07:03.780 used during training. 126 00:07:03.780 --> 00:07:08.310 For instance, by analyzing an AI model's responses, 127 00:07:08.310 --> 00:07:11.520 an attacker could reverse engineer data points, 128 00:07:11.520 --> 00:07:15.600 such as user demographics that were used in its training. 129 00:07:15.600 --> 00:07:20.220 This can lead to privacy violations and data breaches, 130 00:07:20.220 --> 00:07:22.620 compromising user trust. 131 00:07:22.620 --> 00:07:25.950 So techniques like differential privacy 132 00:07:25.950 --> 00:07:29.850 can reduce the likelihood of successful model inversion 133 00:07:29.850 --> 00:07:33.840 by carefully adding calibrated noise to the data, 134 00:07:33.840 --> 00:07:36.000 making it difficult for attackers 135 00:07:36.000 --> 00:07:38.730 to extract precise information. 136 00:07:38.730 --> 00:07:41.730 This approach safeguards sensitive data 137 00:07:41.730 --> 00:07:46.730 by ensuring that individual details remain unidentifiable 138 00:07:46.740 --> 00:07:48.990 within the broader dataset. 139 00:07:48.990 --> 00:07:53.990 So remember, threats to AI or artificial intelligence models 140 00:07:55.200 --> 00:07:59.670 present risks that can compromise the security, integrity, 141 00:07:59.670 --> 00:08:03.120 and confidentiality of AI systems. 142 00:08:03.120 --> 00:08:06.960 These threats can lead to unauthorized access, 143 00:08:06.960 --> 00:08:10.560 biased decisions, or data breaches, 144 00:08:10.560 --> 00:08:14.340 opening attack paths for malicious actors. 145 00:08:14.340 --> 00:08:17.520 Vulnerabilities include prompt injection, 146 00:08:17.520 --> 00:08:21.960 unsecured output handling, and training data poisoning, 147 00:08:21.960 --> 00:08:25.440 where attackers manipulate inputs, outputs, 148 00:08:25.440 --> 00:08:29.160 or training data to alter model behavior. 149 00:08:29.160 --> 00:08:32.670 Other threats like model denial-of-service attacks 150 00:08:32.670 --> 00:08:35.070 and supply chain vulnerabilities 151 00:08:35.070 --> 00:08:37.410 target system availability 152 00:08:37.410 --> 00:08:42.270 or exploit third-party components to insert malicious code. 153 00:08:42.270 --> 00:08:45.510 Finally, model theft and model inversion 154 00:08:45.510 --> 00:08:47.820 expose the intellectual property 155 00:08:47.820 --> 00:08:51.420 and sensitive data within AI models, 156 00:08:51.420 --> 00:08:55.500 underscoring the need for strong security protocols 157 00:08:55.500 --> 00:08:59.583 to protect AI systems and user trust.